feat: auditing settings (#33935)

Author: ggazzo

apps/meteor/app/api/server/v1/assets.ts

@@ -1,6 +1,7 @@
 import { Settings } from '@rocket.chat/models';
 import { isAssetsUnsetAssetProps } from '@rocket.chat/rest-typings';
 
+import { updateAuditedByUser } from '../../../../server/settings/lib/auditedSettingUpdates';
 import { RocketChatAssets, refreshClients } from '../../../assets/server';
 import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
 import { settings } from '../../../settings/server';
@@ -36,7 +37,12 @@ API.v1.addRoute(
 
 			const { key, value } = await RocketChatAssets.setAssetWithBuffer(fileBuffer, mimetype, assetName);
 
-			const { modifiedCount } = await Settings.updateValueById(key, value);
+			const { modifiedCount } = await updateAuditedByUser({
+				_id: this.userId,
+				username: this.user.username!,
+				ip: this.requestIp,
+				useragent: this.request.headers['user-agent'] || '',
+			})(Settings.updateValueById, key, value);
 
 			if (modifiedCount) {
 				void notifyOnSettingChangedById(key);
@@ -68,7 +74,12 @@ API.v1.addRoute(
 
 			const { key, value } = await RocketChatAssets.unsetAsset(assetName);
 
-			const { modifiedCount } = await Settings.updateValueById(key, value);
+			const { modifiedCount } = await updateAuditedByUser({
+				_id: this.userId,
+				username: this.user.username!,
+				ip: this.requestIp,
+				useragent: this.request.headers['user-agent'] || '',
+			})(Settings.updateValueById, key, value);
 
 			if (modifiedCount) {
 				void notifyOnSettingChangedById(key);

apps/meteor/app/api/server/v1/misc.ts

@@ -20,6 +20,7 @@ import { v4 as uuidv4 } from 'uuid';
 
 import { i18n } from '../../../../server/lib/i18n';
 import { SystemLogger } from '../../../../server/lib/logger/system';
+import { resetAuditedSettingByUser, updateAuditedByUser } from '../../../../server/settings/lib/auditedSettingUpdates';
 import { getLogs } from '../../../../server/stream/stdout';
 import { passwordPolicy } from '../../../lib/server';
 import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
@@ -683,20 +684,32 @@ API.v1.addRoute(
 
 			settingsIds.push('Deployment_FingerPrint_Verified');
 
+			const auditSettingOperation = updateAuditedByUser({
+				_id: this.userId,
+				username: this.user.username!,
+				ip: this.requestIp,
+				useragent: this.request.headers['user-agent'] || '',
+			});
+
 			const promises = settingsIds.map((settingId) => {
 				if (settingId === 'uniqueID') {
-					return Settings.resetValueById('uniqueID', process.env.DEPLOYMENT_ID || uuidv4());
+					return auditSettingOperation(Settings.resetValueById, 'uniqueID', process.env.DEPLOYMENT_ID || uuidv4());
 				}
 
 				if (settingId === 'Cloud_Workspace_Access_Token_Expires_At') {
-					return Settings.resetValueById('Cloud_Workspace_Access_Token_Expires_At', new Date(0));
+					return auditSettingOperation(Settings.resetValueById, 'Cloud_Workspace_Access_Token_Expires_At', new Date(0));
 				}
 
 				if (settingId === 'Deployment_FingerPrint_Verified') {
-					return Settings.updateValueById('Deployment_FingerPrint_Verified', true);
+					return auditSettingOperation(Settings.updateValueById, 'Deployment_FingerPrint_Verified', true);
 				}
 
-				return Settings.resetValueById(settingId);
+				return resetAuditedSettingByUser({
+					_id: this.userId,
+					username: this.user.username!,
+					ip: this.requestIp,
+					useragent: this.request.headers['user-agent'] || '',
+				})(Settings.resetValueById, settingId);
 			});
 
 			(await Promise.all(promises)).forEach((value, index) => {

apps/meteor/app/api/server/v1/settings.ts

@@ -17,6 +17,7 @@ import { Meteor } from 'meteor/meteor';
 import type { FindOptions } from 'mongodb';
 import _ from 'underscore';
 
+import { updateAuditedByUser } from '../../../../server/settings/lib/auditedSettingUpdates';
 import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { disableCustomScripts } from '../../../lib/server/functions/disableCustomScripts';
 import { notifyOnSettingChanged, notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
@@ -200,9 +201,16 @@ API.v1.addRoute(
 					return API.v1.success();
 				}
 
+				const auditSettingOperation = updateAuditedByUser({
+					_id: this.userId,
+					username: this.user.username!,
+					ip: this.requestIp,
+					useragent: this.request.headers['user-agent'] || '',
+				});
+
 				if (isSettingColor(setting) && isSettingsUpdatePropsColor(this.bodyParams)) {
 					const updateOptionsPromise = Settings.updateOptionsById<ISettingColor>(this.urlParams._id, { editor: this.bodyParams.editor });
-					const updateValuePromise = Settings.updateValueNotHiddenById(this.urlParams._id, this.bodyParams.value);
+					const updateValuePromise = auditSettingOperation(Settings.updateValueNotHiddenById, this.urlParams._id, this.bodyParams.value);
 
 					const [updateOptionsResult, updateValueResult] = await Promise.all([updateOptionsPromise, updateValuePromise]);
 
@@ -214,7 +222,12 @@ API.v1.addRoute(
 				}
 
 				if (isSettingsUpdatePropDefault(this.bodyParams)) {
-					const { matchedCount } = await Settings.updateValueNotHiddenById(this.urlParams._id, this.bodyParams.value);
+					const { matchedCount } = await auditSettingOperation(
+						Settings.updateValueNotHiddenById,
+						this.urlParams._id,
+						this.bodyParams.value,
+					);
+
 					if (!matchedCount) {
 						return API.v1.failure();
 					}

apps/meteor/app/apps/server/bridges/settings.ts

@@ -3,6 +3,7 @@ import type { ISetting } from '@rocket.chat/apps-engine/definition/settings';
 import { ServerSettingBridge } from '@rocket.chat/apps-engine/server/bridges/ServerSettingBridge';
 import { Settings } from '@rocket.chat/models';
 
+import { updateAuditedByApp } from '../../../../server/settings/lib/auditedSettingUpdates';
 import { notifyOnSettingChanged, notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
 
 export class AppSettingBridge extends ServerSettingBridge {
@@ -56,7 +57,15 @@ export class AppSettingBridge extends ServerSettingBridge {
 			throw new Error(`The setting "${setting.id}" is not readable.`);
 		}
 
-		(await Settings.updateValueById(setting.id, setting.value)).modifiedCount && void notifyOnSettingChangedById(setting.id);
+		if (
+			(
+				await updateAuditedByApp({
+					_id: appId,
+				})(Settings.updateValueById, setting.id, setting.value)
+			).modifiedCount
+		) {
+			void notifyOnSettingChangedById(setting.id);
+		}
 	}
 
 	protected async incrementValue(id: string, value: number, appId: string): Promise<void> {

apps/meteor/app/authentication/server/startup/index.js

@@ -338,6 +338,7 @@ Accounts.insertUserDoc = async function (options, user) {
 		if (!roles.includes('admin') && !hasAdmin) {
 			roles.push('admin');
 			if (settings.get('Show_Setup_Wizard') === 'pending') {
+				// TODO: audit
 				(await Settings.updateValueById('Show_Setup_Wizard', 'in_progress')).modifiedCount &&
 					void notifyOnSettingChangedById('Show_Setup_Wizard');
 			}

apps/meteor/app/cloud/server/functions/getOAuthAuthorizationUrl.ts

@@ -1,6 +1,7 @@
 import { Settings } from '@rocket.chat/models';
 import { Random } from '@rocket.chat/random';
 
+import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
 import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
 import { settings } from '../../../settings/server';
 import { userScopes } from '../oauthScopes';
@@ -9,7 +10,9 @@ import { getRedirectUri } from './getRedirectUri';
 export async function getOAuthAuthorizationUrl() {
 	const state = Random.id();
 
-	await Settings.updateValueById('Cloud_Workspace_Registration_State', state);
+	await updateAuditedBySystem({
+		reason: 'getOAuthAuthorizationUrl',
+	})(Settings.updateValueById, 'Cloud_Workspace_Registration_State', state);
 
 	void notifyOnSettingChangedById('Cloud_Workspace_Registration_State');
 

apps/meteor/app/cloud/server/functions/removeWorkspaceRegistrationInfo.ts

@@ -1,6 +1,7 @@
 import { Settings, WorkspaceCredentials } from '@rocket.chat/models';
 
 import { retrieveRegistrationStatus } from './retrieveRegistrationStatus';
+import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
 import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
 
 export async function removeWorkspaceRegistrationInfo() {
@@ -24,10 +25,12 @@ export async function removeWorkspaceRegistrationInfo() {
 
 	const promises = settingsIds.map((settingId) => {
 		if (settingId === 'Show_Setup_Wizard') {
-			return Settings.updateValueById('Show_Setup_Wizard', 'in_progress');
+			return updateAuditedBySystem({
+				reason: 'removeWorkspaceRegistrationInfo',
+			})(Settings.updateValueById, 'Show_Setup_Wizard', 'in_progress');
 		}
 
-		return Settings.resetValueById(settingId, null);
+		return updateAuditedBySystem({ reason: 'removeWorkspaceRegistrationInfo' })(Settings.resetValueById, settingId, null);
 	});
 
 	(await Promise.all(promises)).forEach((value, index) => {

apps/meteor/app/cloud/server/functions/saveRegistrationData.ts

@@ -2,6 +2,7 @@ import { applyLicense } from '@rocket.chat/license';
 import { Settings } from '@rocket.chat/models';
 
 import { syncCloudData } from './syncWorkspace/syncCloudData';
+import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
 import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
 import { settings } from '../../../settings/server';
 
@@ -59,15 +60,24 @@ async function saveRegistrationDataBase({
 		{ _id: 'Cloud_Workspace_Registration_Client_Uri', value: registration_client_uri },
 	];
 
-	const promises = [...settingsData.map(({ _id, value }) => Settings.updateValueById(_id, value))];
+	const promises = [
+		...settingsData.map(({ _id, value }) =>
+			updateAuditedBySystem({
+				reason: 'saveRegistrationDataBase',
+			})(Settings.updateValueById, _id, value),
+		),
+	];
 
 	(await Promise.all(promises)).forEach((value, index) => {
 		if (value?.modifiedCount) {
 			void notifyOnSettingChangedById(settingsData[index]._id);
 		}
 	});
 
-	// TODO: Why is this taking so long that needs a timeout?
+	// Question: Why is this taking so long that needs a timeout?
+	// Answer: we use cache that requires a 'roundtrip' through the db and the application
+	// we need to make sure that the cache is updated before we continue the procedures
+	// we don't actually need to wait a whole second for this, but look this is just a retry mechanism it doesn't mean that actually takes all this time
 	for await (const retry of Array.from({ length: 10 })) {
 		const isSettingsUpdated =
 			settings.get('Register_Server') === true &&

apps/meteor/app/cloud/server/functions/startRegisterWorkspace.ts

@@ -5,6 +5,7 @@ import { buildWorkspaceRegistrationData } from './buildRegistrationData';
 import { retrieveRegistrationStatus } from './retrieveRegistrationStatus';
 import { syncWorkspace } from './syncWorkspace';
 import { SystemLogger } from '../../../../server/lib/logger/system';
+import { updateAuditedBySystem } from '../../../../server/settings/lib/auditedSettingUpdates';
 import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
 import { settings } from '../../../settings/server';
 
@@ -15,7 +16,6 @@ export async function startRegisterWorkspace(resend = false) {
 
 		return true;
 	}
-
 	(await Settings.updateValueById('Register_Server', true)).modifiedCount && void notifyOnSettingChangedById('Register_Server');
 
 	const regInfo = await buildWorkspaceRegistrationData(undefined);
@@ -48,7 +48,9 @@ export async function startRegisterWorkspace(resend = false) {
 		return false;
 	}
 
-	await Settings.updateValueById('Cloud_Workspace_Id', payload.id);
+	await updateAuditedBySystem({
+		reason: 'startRegisterWorkspace',
+	})(Settings.updateValueById, 'Cloud_Workspace_Id', payload.id);
 
 	return true;
 }

apps/meteor/app/cloud/server/functions/supportedVersionsToken/supportedVersionsToken.ts

@@ -12,6 +12,7 @@ import { supportedVersions as supportedVersionsFromBuild } from '../../../../uti
 import { buildVersionUpdateMessage } from '../../../../version-check/server/functions/buildVersionUpdateMessage';
 import { generateWorkspaceBearerHttpHeader } from '../getWorkspaceAccessToken';
 import { supportedVersionsChooseLatest } from './supportedVersionsChooseLatest';
+import { updateAuditedBySystem } from '../../../../../server/settings/lib/auditedSettingUpdates';
 
 declare module '@rocket.chat/core-typings' {
 	interface ILicenseV3 {
@@ -66,7 +67,15 @@ const cacheValueInSettings = <T extends SettingValue>(
 		SystemLogger.debug(`Resetting cached value ${key} in settings`);
 		const value = await fn();
 
-		(await Settings.updateValueById(key, value)).modifiedCount && void notifyOnSettingChangedById(key);
+		if (
+			(
+				await updateAuditedBySystem({
+					reason: 'cacheValueInSettings reset',
+				})(Settings.updateValueById, key, value)
+			).modifiedCount
+		) {
+			void notifyOnSettingChangedById(key);
+		}
 
 		return value;
 	};